Researchers have disclosed a new flaw in Intel processors that stems from the way the chips carry out speculative execution to gain performance.
Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.
However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache.
Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper was released this month and spotted by The Register.
The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.
"The root cause for Spoiler is a weakness in the address speculation of Intel's proprietary implementation of the memory subsystem, which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler," they write.
They also looked for the same weakness in Arm and AMD processor cores but didn't find the same behavior that is present in Intel chips.
Spoiler depends on "a novel microarchitectural leakage, which reveals critical information about physical page mappings to user space processes".
"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS, and also works from within virtual machines and sandboxed environments."
The researchers say Intel confirmed receipt of their findings on December 1, 2018. They note, however, that a software mitigation cannot fully address the weakness Spoiler exploits, while a hardware mitigation could address it but would almost certainly cost CPU performance.
Daniel (Ahmad) Moghimi, one of the paper's authors, told The Register he doubts Intel will be able to patch the issue in the memory subsystem within the next five years.
"My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.
"So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."
An Intel spokesperson said in a statement that software can be protected against Spoiler-style attacks, and that DRAM modules with Rowhammer mitigations should remain protected.
"Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."
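Intel's statement points to side-channel-safe coding rather than to a chip-level fix. The following C example is added here to show what that advice means in practice; it is not code from the paper or from Intel. It puts a byte comparison whose early exit makes its run time depend on the secret beside a branch-free version, and adds a table lookup that reads every entry so that its cache footprint does not depend on the index, which is the kind of access pattern a cache attacker (made more effective by the physical-address information Spoiler leaks) would otherwise observe. The secret bytes and table contents are constructed sample values. The caveat: these practices harden software against timing and cache attacks, but they do not stop Spoiler itself from leaking physical-address information, which is the part the researchers say requires a hardware change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample secret for the demo; not taken from the paper. */
static const uint8_t SAMPLE_SECRET[8] = { 0x31, 0x41, 0x59, 0x26,
                                          0x53, 0x58, 0x97, 0x93 };

/* Leaky comparison: returns at the first mismatching byte, so the number of
 * loop iterations, and therefore the measured time, depends on how long a
 * prefix of the secret the caller has guessed correctly. This is the
 * data-dependent control flow Intel's statement warns against. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])
            return 0;            /* early exit: timing depends on the secret */
    }
    return 1;
}

/* Constant-time comparison: always visits all n bytes, accumulates the XOR
 * differences with OR, and folds the result to 0/1 arithmetically, so no
 * branch and no loop bound depends on the secret or the guess. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(secret[i] ^ guess[i]);
    /* diff is 0..255; (diff - 1) >> 8 has bit 0 set only when diff == 0 */
    return (int)(((diff - 1U) >> 8) & 1U);
}

/* Branch-free select: returns a when cond == 1 and b when cond == 0. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t mask = 0U - (cond & 1U);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Lookup whose memory-access pattern does not depend on idx: every entry is
 * read and the wanted one is selected with a mask. A plain table[idx] touches
 * a single cache line that a cache attacker can later probe. */
uint32_t ct_lookup(const uint32_t *table, size_t len, size_t idx)
{
    uint32_t result = 0;
    for (size_t i = 0; i < len; i++) {
        uint64_t x = (uint64_t)(i ^ idx);
        /* is_zero == 1 exactly when i == idx, computed without a branch */
        uint32_t is_zero = (uint32_t)(((x - 1U) & ~x) >> 63);
        result |= table[i] & (0U - is_zero);
    }
    return result;
}

/* Self-check: both comparators must agree on a matching guess, a guess that
 * differs only in the last byte, and one that differs in the first byte; the
 * constant-time helpers must return the values a plain branch would. */
int self_check(void)
{
    uint8_t same[8], last[8], first[8];
    for (size_t i = 0; i < 8; i++)
        same[i] = last[i] = first[i] = SAMPLE_SECRET[i];
    last[7] ^= 0x01;    /* mismatch only in the final byte */
    first[0] ^= 0x80;   /* mismatch in the very first byte */
    static const uint32_t table[4] = { 10, 20, 30, 40 };

    int ok = 1;
    ok &= leaky_compare(SAMPLE_SECRET, same, 8) == 1 && ct_compare(SAMPLE_SECRET, same, 8) == 1;
    ok &= leaky_compare(SAMPLE_SECRET, last, 8) == 0 && ct_compare(SAMPLE_SECRET, last, 8) == 0;
    ok &= leaky_compare(SAMPLE_SECRET, first, 8) == 0 && ct_compare(SAMPLE_SECRET, first, 8) == 0;
    ok &= ct_select(1, 7, 9) == 7 && ct_select(0, 7, 9) == 9;
    ok &= ct_lookup(table, 4, 0) == 10 && ct_lookup(table, 4, 3) == 40;
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("constant-time self check: %s\n", ok ? "pass" : "fail");
    return ok ? 0 : 1;
}
```

Both comparators give the same answer for every input; the difference is only in which bytes are touched and which branches are taken along the way, which is exactly what a timing or cache side channel observes. Compile with optimisation on and inspect the generated assembly: compilers can reintroduce branches into code written this way, so constant-time properties should be verified on the binary, not assumed from the source.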